Raxx · internal docs

internal · gated

RCA — Woodpecker CI OIDC login returns HTTP 500

Incident ID: 2026-07-04-woodpecker-alb-oidc-500 Date: 2026-07-04 Severity: SEV-2 Duration: ~55 min total (first signal 04:30Z → resolution available 05:25Z; operator-blocked on live SG change) Blast radius: Woodpecker CI server (ci.moosequest.net) — operator cannot log in; no pipelines can be triggered via UI. Webhook delivery unaffected (bypasses OIDC). Author: sre-agent

Summary

After the initial Woodpecker CI deployment (#4012), the operator completed the Google Workspace OIDC login flow but received HTTP 500 instead of being forwarded to Woodpecker. The 500 was generated by the ALB itself (HTTPCode_ELB_5XX_Count, not HTTPCode_Target_5XX_Count — Woodpecker had zero target errors). Root cause: the ALB security group (ci-alb-sg) had no egress rule for HTTPS (TCP 443) to the internet, so the ALB could not reach Google's OIDC token endpoint to exchange the authorization code for tokens. The fix is to add a TCP 443 egress rule to the ALB security group.

Timeline (all times UTC)

Impact

What went well

What didn't go well

Root cause analysis

Detection

Resolution

Immediate mitigation (operator must apply):

# Add HTTPS egress to ALB security group sg-021e0a55a9eb4219e
# Allows ALB to reach Google OIDC token + userinfo + discovery endpoints
aws ec2 authorize-security-group-egress \
  --group-id sg-021e0a55a9eb4219e \
  --ip-permissions '[{
    "IpProtocol":"tcp",
    "FromPort":443,
    "ToPort":443,
    "IpRanges":[{
      "CidrIp":"0.0.0.0/0",
      "Description":"HTTPS egress — ALB OIDC token exchange with Google endpoints"
    }]
  }]' \
  --region us-east-2

# Verify the rule was added
aws ec2 describe-security-groups \
  --group-ids sg-021e0a55a9eb4219e \
  --query 'SecurityGroups[0].IpPermissionsEgress' \
  --region us-east-2

Verification after live fix:

  1. Navigate to https://ci.moosequest.net in an incognito browser window.
  2. Complete Google OIDC login with a @moosequest.net account.
  3. Confirm you reach the Woodpecker UI (not a 500 or 403).
  4. Check Woodpecker /ci/admin/users — your GitHub user (MooseQuest) should now appear.

Durable IaC fix (complete): infra/ci/sg.tf — SG descriptions reconciled to live AWS values (avoids forced SG replacement on next apply); alb_to_internet_https egress rule (sgr-0e9e0a7fb13f18bfa) imported into state via terraform import. Plan post-import: 0 to add, 1 to change, 0 to destroy (tag addition to imported rule only — no SG replacements). Committed 25606e44 on fix/ci-infra-apply-corrections. terraform apply not required — state is converged; tag addition is safe to apply at any time.

Post-resolution cleanup:

# Restore Woodpecker log level to info (debug was enabled during diagnosis)
aws ssm start-session --target i-082ee835595d90ae0 --region us-east-2
# Then on the instance:
# sed -i 's/WOODPECKER_LOG_LEVEL=debug/WOODPECKER_LOG_LEVEL=info/' /opt/woodpecker/docker-compose.yml
# docker compose -f /opt/woodpecker/docker-compose.yml up -d

Action items

# Action Owner Due Issue Status
1 Apply live SG egress rule (TCP 443 → 0.0.0.0/0) to sg-021e0a55a9eb4219e operator 2026-07-04 DONE (sgr-0e9e0a7fb13f18bfa, applied manually)
2 Reconcile IaC: SG descriptions + import egress rule into state sre-agent 2026-07-04 #4028 DONE (commit 25606e44; plan 0/1/0 tag-only)
3 Add CloudWatch alarm: HTTPCode_ELB_5XX_Count ≥ 1 at ALB level sre-agent 2026-07-11 file open
4 Enable ALB access logging to S3 (Phase 2 item, now prioritized) sre-agent 2026-07-11 file open
5 Restore WOODPECKER_LOG_LEVEL=info on Woodpecker container operator 2026-07-04 open

References